Cisco has disclosed a critical security vulnerability in its IOS XE Wireless LAN Controllers (WLCs) that could allow unauthenticated, remote attackers to gain complete control of affected devices. The disclosure is part of Cisco's May 2025 Semiannual IOS and IOS XE Software Security Advisory Bundled Publication, which includes fixes for multiple security issues across Cisco products.

The vulnerability, tracked as CVE-2025-20188, resides in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for WLCs. According to Cisco's security advisory released on May 7, the flaw stems from "the presence of a hard-coded JSON Web Token (JWT) on an affected system". Security researchers note that attackers can exploit it by sending specially crafted HTTPS requests to the AP image download interface. Assigned the maximum severity rating of 10.0, the flaw enables unauthenticated remote attackers to upload arbitrary files, traverse directories, and execute commands with root privileges on affected systems.

Security bulletin information indicates the vulnerability was discovered internally by X.B. of the Cisco Advanced Security Initiatives Group during security testing.

"This vulnerability represents a significant risk to enterprise networks using affected Cisco wireless controllers," said a cybersecurity expert familiar with the issue. "Organizations should prioritize patching this vulnerability immediately," said another security analyst.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
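As an added defender-side illustration (not code from the article or from Cisco), the triage below scans constructed access-log lines for the pattern the advisory describes: HTTPS requests to the AP image download interface, path-traversal sequences, and bearer JWTs that lack an `exp` claim, which is one indicator of a static, hard-coded token. The endpoint path, the log format and the sample lines are all assumptions made for this example.

```python
import base64
import json
import re

# ASSUMPTION: the article does not give the real URL of the Out-of-Band AP
# image download interface; this placeholder stands in for it.
AP_IMAGE_DOWNLOAD_PATH = "/ap-image-download-PLACEHOLDER"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _make_token(claims):
    """Build a JWT-shaped string (fake signature) for the constructed sample only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructedsig"


# Constructed sample log (not real WLC output): src, method, path, auth header.
SAMPLE_LOG = "\n".join([
    f"203.0.113.7 GET {AP_IMAGE_DOWNLOAD_PATH}/fw.bin "
    f"Authorization=Bearer {_make_token({'sub': 'ap', 'iss': 'wlc'})}",
    f"198.51.100.4 POST {AP_IMAGE_DOWNLOAD_PATH}/../../etc/passwd "
    f"Authorization=Bearer {_make_token({'sub': 'ap', 'exp': 1746650000})}",
    "10.0.0.5 GET /login Authorization=none",
])

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) Authorization=(?:Bearer (\S+)|\S+)$")


def _claims(token):
    """Decode the JWT payload segment without verifying the signature."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def triage_line(line):
    """Return findings for one log line; empty list when nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    src, method, path, token = m.groups()
    if not path.startswith(AP_IMAGE_DOWNLOAD_PATH):
        return []
    findings = [f"{src}: {method} to AP image download interface"]
    if ".." in path:
        findings.append(f"{src}: path traversal sequence in {path}")
    if token and "exp" not in _claims(token):
        findings.append(f"{src}: JWT without exp claim (static-token indicator)")
    return findings


def triage(log_text):
    """Collect findings over every line of the log text."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]
```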
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 08 May 2025 03:15:00 +0000